Stored XSS in the OpenCart file manager. An administrator can upload an image with XSS in the filename.
1. Browser: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0;
2. OS: Parrot Security 4.10.
Steps to reproduce:
1. Login as admin;
2. Go to Catalog -> Products;
3. Edit Product;
4. Click the Image tab;
5. Create a payload. It could be a .png file. Filename, for example:
6. Upload file. XSS works.
If this vulnerability is insignificant and the information can be published, please, let me know about it. Thanks!
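
A defensive sketch for the issue reported above, added here as an example and not taken from the post or from OpenCart's code: reject upload names outside a strict allowlist, and HTML-encode every stored name when the file manager renders it. The function names `validate_upload_name` and `html_name` are hypothetical, and the sample filenames are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not OpenCart functions.

/**
 * Accept an upload name only if it matches a strict allowlist.
 * Returns the validated name, or null when the upload should be rejected.
 */
function validate_upload_name(string $clientName): ?string
{
    // Drop any path component the client supplied.
    $name = basename(str_replace('\\', '/', $clientName));

    // Letters, digits, dot, dash, underscore only, ending in one image extension.
    // This excludes <, >, quotes, spaces and control characters.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,250}\.(png|jpe?g|gif|webp)\z/i', $name)) {
        return null;
    }
    return $name;
}

/**
 * Encode a stored name for an HTML text node or quoted attribute.
 * Applied at render time, so names stored before validation existed are also safe.
 */
function html_name(string $storedName): string
{
    return htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample names (not taken from the report).
$samples = [
    'product-01.png',
    'banner<b>x</b>.png',
    '../../logo.jpg',
    'photo.png.php',
];

foreach ($samples as $sample) {
    $ok = validate_upload_name($sample);
    printf(
        "%-22s upload: %-8s rendered as: %s\n",
        $sample,
        $ok === null ? 'rejected' : 'accepted',
        html_name($sample)
    );
}
```

Validation at upload time and encoding at render time are independent controls: the encoder still neutralises markup in names that were stored before the allowlist was in place.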